aaly
New Member


Joined: Jan 02, 2006
Posts: 20
Posted: Sun Jun 11, 2006 11:47 am
I thought I did the setup right because I don't see any errors, but then I received mails about hacker attacks and that the IP is banned, but in the administration it says "There are currently no IP addresses in the database", so what could be wrong? I have no idea.
Code:
Date & Time: 2006-06-11 13:52:51 CEST GMT +0200
Blocked IP: 66.77.136.
User ID: Anonymous (1)
Reason: Abuse-Harvest
String Match: libwww-perl
--------------------
User Agent: libwww-perl/5.69
Query String: .../modules.php?none
Get String: ...../modules.php
Post String: ..../modules.php
Forwarded For: none
Client IP: none
Remote Address: 66.77.136.
Remote Port: 37153
Request Method: GET
--------------------
That is a copy of one of the mails I receive from Sentinel (my domain and the IP address of the attacker commented out)

gregexp
The Mouse Is Extension Of Arm

Joined: Feb 21, 2006
Posts: 1497
Location: In front of a screen....HELP! lol
Posted: Sun Jun 11, 2006 12:51 pm
Did all your tables make...do u have a nuke_nsnst_blocked_ips and do u have the harvester blocker configured to block the ips?
_________________ For those who stand shall NEVER fall and those who fall shall RISE once more!!

aaly

Posted: Sun Jun 11, 2006 1:00 pm
darklord wrote: | Did all your tables make...do u have a nuke_nsnst_blocked_ips and do u have the harvester blocker configured to block the ips? |
All the tables are installed including nuke_nsnst_blocked_ips, and the harvester blocker is set to block IPs. Manually I can add IPs to the blocked list but Sentinel won't do it automatically.

gregexp

Posted: Sun Jun 11, 2006 1:02 pm
what version of sentinel are u using?

aaly

Posted: Sun Jun 11, 2006 1:07 pm
I just updated to the last one from 2.4.2pl6
Blocker is set to e-mail, block and default page, is that right?

gregexp

Posted: Sun Jun 11, 2006 2:21 pm
yes that's right...curious why sentinel does not put the ip in the database...u should see if errors are turned on in ur config.php and let us know if it displays an error.

fkelly
Former Moderator in Good Standing

Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY
Posted: Sun Jun 11, 2006 2:32 pm
Your settings for harvester look okay. Is it writing the IP to htaccess? If you block the IP manually does it write to htaccess? If you look in the blocked_ip table after blocking an IP manually is it in there?
If you do "display blocked IP's" from Sentinel does it list any? If you manually block one and do "display blocked IP's" does it list any? So many questions, I know, but we need the answers to narrow it down.

aaly

Posted: Sun Jun 11, 2006 2:54 pm
Manually the IP gets listed in Sentinel administration, in .htaccess and in the database table nuke_nsnst_blocked_ips, so I think manually works.

gregexp

Posted: Sun Jun 11, 2006 3:00 pm
this is definitely weird and not makin any sense. did it display an error? at all..ban ur own ip...then see if it blocks u...and check ur tables to see if its listed...on RARE occasions ive seen when the database is laggin or servers gettin hit with a DDoS attack...sentinel doesnt ban the ip properly...i have been told this is a way that hackers bypass sentinel...but if it writes to the .htaccess it will block them anyway.

aaly

Posted: Sun Jun 11, 2006 3:14 pm
My database was lagging today because of IP tracking in Sentinel; I have a highly frequented site. Since I turned IP tracking off the site responds normally again. I don't see any errors; a manual ban gets listed, automatically I receive just the mail but Sentinel did not ban the user, there is no entry in the database and none in .htaccess.

fkelly

Posted: Sun Jun 11, 2006 3:26 pm
I know it seems redundant but just to confirm:
- You are running Sentinel PL9 ... it says that at the top of your Sentinel screen.
- You got that email telling you about the harvest attack and you had your harvester settings set to block the IPs before that happened.
- You can block the same IPs "manually" and it takes.
I'm just wondering now when you started with Sentinel and whether all the upgrades have gone okay. What was the first version you loaded? Has it been blocking IPs okay up to now or is this your first attempt at running it?
The Harvest attack is more of a nuisance than anything pernicious and maybe we should just wait a bit and see if it happens again and then post it here. I know the Sentinel folks are hard at work testing revisions now, but it's a little hard to simulate something like this. It is certainly something to watch for, if Harvest attacks aren't being properly banned, and we'd appreciate it if you'd post anything further along those lines as well as just confirming the questions above.

aaly

Posted: Sun Jun 11, 2006 3:44 pm
My first version was 2.4.2pl6. I installed it a week ago for the first time; since that time I received a couple of mails with Abuse-Harvest as a reason for banning, but none of the IPs listed in the mails are actually banned. They are not listed in the database or the .htaccess file. As I said before, I don't see any errors and manual banning works like a charm. Today I updated to 2.4.2pl9 but didn't receive any mails about attacks, so I don't know if it works now or not.

aaly

Posted: Sun Jun 11, 2006 4:50 pm
I just received a new mail about Abuse-Harvest but this time the user is banned; seems that now Sentinel works probably but I still don't know why it didn't work in version 2.4.2pl6. However my problem is now solved, thanks fkelly & darklord for your quick replies.

fkelly

Posted: Sun Jun 11, 2006 5:36 pm
It has been a pleasure aaly. Keep us posted if the problem reoccurs. And keep checking those logs.

erald
New Member


Joined: Dec 13, 2004
Posts: 21
Posted: Fri Jun 23, 2006 12:20 pm
Hello,
I do have exactly the same problem with Author blocker. I do get an email but no writing into the database and htaccess.
The client gets the black page that he is blocked but can go back and just continue. Now he is registered as an administrator, might that be the problem?

gregexp

Posted: Fri Jun 23, 2006 8:03 pm
Yes that would be a problem.
Now just to confirm, you have your authors blocker set to e-mail, block and default page,
and also you have the path to .htaccess set correctly for your .htaccess, and it's chmoded to 666?
These are the things everyone should check.

erald

Posted: Sat Jun 24, 2006 2:36 am
darklord wrote: | Yes that would be a problem.
Now just to confirm, you have your authors blocker set to e-mail, block and default page,
and also you have the path to .htaccess set correctly for your .htaccess, and it's chmoded to 666?
These are the things everyone should check. |
Yes everything is set.
In the meantime I found the problem. The fact that you are logged in as administrator means you will not be blocked. But somehow the fact that you have previously been logged in as administrator also means you do not get blocked. However, if you close the browser and restart it, and are not logged in or are logged in as a normal user, you will be blocked when testing an abuse.
It took some time for me to figure this out and even made me reinstall everything and restart the client PC. Then it works like a charm.

gregexp

Posted: Sat Jun 24, 2006 11:59 pm
ahh u tested a script while u had ur ip protected....doh
glad u found the issue.

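The checks asked for in this thread (is the .htaccess path right, is the file writable, did the IP from the alert mail actually land in it) can be scripted. This is an added example, not part of the thread or of NukeSentinel; the function names are made up here, and it assumes bans appear in .htaccess as `deny from <ip>` lines.

```bash
#!/usr/bin/env bash
# Added diagnostic sketch, not NukeSentinel code.
# Assumption: a ban is written to .htaccess as a "deny from <ip>" line.
# Usage idea: htaccess_status /path/to/.htaccess 192.0.2.10

# Succeeds only if the exact IP appears as a field on a deny line, so
# 192.0.2.1 does not falsely match an entry for 192.0.2.10.
ip_in_htaccess() {
    awk -v ip="$2" '
        tolower($1) == "deny" && tolower($2) == "from" {
            for (i = 3; i <= NF; i++) if ($i == ip) found = 1
        }
        END { exit !found }' "$1"
}

# Succeeds if any user on the host can write the file (which is what
# chmod 666 grants; worth knowing on shared hosting).
world_writable() {
    [ -n "$(find "$1" -perm -002 2>/dev/null)" ]
}

# Prints one word saying how far an automatic ban could have got:
# missing / not-a-file  -> the configured path is wrong
# not-writable          -> the current user cannot append to it
# not-listed / listed   -> the file is usable; is the IP in it?
# Run it as the web server user so the writability test is meaningful.
htaccess_status() {
    [ -e "$1" ] || { echo "missing"; return; }
    [ -f "$1" ] || { echo "not-a-file"; return; }
    [ -w "$1" ] || { echo "not-writable"; return; }
    if ip_in_htaccess "$1" "$2"; then
        echo "listed"
    else
        echo "not-listed"
    fi
}
```

As the last posts point out, run the blocking test itself from a fresh browser session that has never been logged in as administrator, otherwise no ban is written regardless of what this reports.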